From:Georgi Kodinov Date:August 27 2009 7:27am
Subject:bzr commit into mysql-5.0-bugteam branch (joro:2795) Bug#37044
#At file:///home/kgeorge/mysql/work/B37044-5.0-bugteam/ based on revid:joro@stripped

 2795 Georgi Kodinov	2009-08-24
      Bug #37044: Read overflow in opt_range.cc found during "make test"
      
      The code was using a special global buffer for the value of IS NULL ranges.
      This was not always long enough to be copied by a regular memcpy. As a 
      result read buffer overflows may occur.
      Fixed by setting the null byte to 1 and setting the rest of the field disk image
      to NULL with a bzero (instead of relying on the buffer and memcpy()).

    modified:
      sql/opt_range.cc
=== modified file 'sql/opt_range.cc'
--- a/sql/opt_range.cc	2009-08-19 14:53:43 +0000
+++ b/sql/opt_range.cc	2009-08-24 12:28:03 +0000
@@ -8308,11 +8308,21 @@ get_constant_key_infix(KEY *index_info, 
       return FALSE;
 
     uint field_length= cur_part->store_length;
-    if ((cur_range->maybe_null &&
+    if (cur_range->maybe_null &&
          cur_range->min_value[0] && cur_range->max_value[0])
-        ||
-        (memcmp(cur_range->min_value, cur_range->max_value, field_length) == 0))
-    { /* cur_range specifies 'IS NULL' or an equality condition. */
+    { 
+      /*
+        cur_range specifies 'IS NULL'. In this case the argument points to a "null value" (is_null_string)
+        that may not always be long enough for a direct memcpy to a field.
+      */
+      DBUG_ASSERT (field_length > 0);
+      *key_ptr= 1;
+      bzero(key_ptr+1,field_length-1);
+      key_ptr+= field_length;
+      *key_infix_len+= field_length;
+    }
+    else if (memcmp(cur_range->min_value, cur_range->max_value, field_length) == 0)
+    { /* cur_range specifies an equality condition. */
       memcpy(key_ptr, cur_range->min_value, field_length);
       key_ptr+= field_length;
       *key_infix_len+= field_length;
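Review bot: the `DBUG_ASSERT (field_length > 0)` only fires in debug builds, so in a release build a zero `field_length` would make `bzero(key_ptr+1,field_length-1)` run with an underflowed unsigned length (`field_length` is a `uint` taken from `cur_part->store_length`). For a nullable key part the store_length should always include the null indicator byte, so the assert is presumably documenting an invariant rather than guarding against real input; either say so in the comment above it, or turn it into a real check such as `if (field_length == 0) return FALSE;` before the write. Minor style: the new comment line runs well past 80 columns, and the spacing in `DBUG_ASSERT (` and `bzero(key_ptr+1,field_length-1)` differs from the surrounding code.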


Attachment: [text/bzr-bundle] bzr/joro@sun.com-20090824122803-1d5jlaysjc7a7j6q.bundle
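A worked illustration of the before and after behaviour described in the commit message, added here as an editorial example; it is not MySQL code and uses hypothetical names (`struct range`, `store_key_part_old`, `store_key_part_new`, the `demo_*` functions) plus a constructed two-byte stand-in for the global `is_null_string`. The old path is modelled with a size-aware copy that refuses, rather than performs, the over-read of a short source buffer; the new path builds the NULL key part without reading the source at all and, going one step beyond the patch, replaces the debug-only assert with a runtime zero-length check.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for MySQL's global is_null_string: only two bytes,
   so copying a full key part's store_length from it reads past the end. */
static const unsigned char is_null_string[2] = {1, 0};

/* Hypothetical model of the fields of a range that the patched code reads.
   min_value_len / max_value_len record how many bytes are really readable
   behind each pointer, which the real code does not track. */
struct range {
    const unsigned char *min_value;
    size_t min_value_len;
    const unsigned char *max_value;
    size_t max_value_len;
    int maybe_null;
};

/* Pre-patch behaviour: memcpy field_length bytes from min_value.
   Returns 0 on success, -1 when the copy would read past the source
   (the over-read from the bug report), without performing it. */
int store_key_part_old(unsigned char *key_ptr, size_t key_cap,
                       const struct range *r, unsigned field_length)
{
    if (field_length > key_cap) return -1;
    if (field_length > r->min_value_len) return -1;   /* would over-read */
    memcpy(key_ptr, r->min_value, field_length);
    return 0;
}

/* Post-patch behaviour: for an IS NULL range set the null byte and zero
   the rest of the key part; only the equality case copies from the source.
   A runtime check stands in for the debug-only DBUG_ASSERT(field_length > 0)
   so that field_length - 1 cannot underflow in a release build.
   Returns 0 when a constant infix was stored, 1 when the range is not a
   constant, -1 on a length problem. */
int store_key_part_new(unsigned char *key_ptr, size_t key_cap,
                       const struct range *r, unsigned field_length)
{
    if (field_length == 0 || field_length > key_cap) return -1;
    if (r->maybe_null && r->min_value[0] && r->max_value[0]) {
        key_ptr[0] = 1;                           /* null indicator */
        memset(key_ptr + 1, 0, field_length - 1); /* rest of the disk image */
        return 0;
    }
    if (field_length > r->min_value_len || field_length > r->max_value_len)
        return -1;
    if (memcmp(r->min_value, r->max_value, field_length) == 0) {
        memcpy(key_ptr, r->min_value, field_length);
        return 0;
    }
    return 1;
}

/* Constructed scenario: IS NULL range on a nullable 4-byte INT key part,
   store_length = 1 null byte + 4 data bytes = 5. */
static const struct range null_range = {
    is_null_string, sizeof is_null_string,
    is_null_string, sizeof is_null_string, 1
};

/* Old code would have to read 5 bytes from a 2-byte buffer: reported as -1. */
int demo_old_is_null(void)
{
    unsigned char key[8];
    return store_key_part_old(key, sizeof key, &null_range, 5);
}

/* New code writes {1,0,0,0,0} without touching the short source: returns 0. */
int demo_new_is_null(void)
{
    static const unsigned char expect[5] = {1, 0, 0, 0, 0};
    unsigned char key[8];
    memset(key, 0xAA, sizeof key);
    if (store_key_part_new(key, sizeof key, &null_range, 5) != 0) return -1;
    return memcmp(key, expect, 5) == 0 ? 0 : -2;
}

/* Equality range (not NULL, value 42): old and new paths produce the same bytes. */
int demo_equality(void)
{
    static const unsigned char v[5] = {0, 0x2a, 0, 0, 0};
    struct range r = { v, sizeof v, v, sizeof v, 1 };
    unsigned char a[8], b[8];
    if (store_key_part_old(a, sizeof a, &r, 5) != 0) return -1;
    if (store_key_part_new(b, sizeof b, &r, 5) != 0) return -2;
    return memcmp(a, b, 5) == 0 ? 0 : -3;
}

/* A zero store_length is rejected instead of underflowing into a huge memset. */
int demo_zero_length(void)
{
    unsigned char key[8];
    return store_key_part_new(key, sizeof key, &null_range, 0);
}

int main(void)
{
    printf("old IS NULL: %d, new IS NULL: %d, equality: %d, zero length: %d\n",
           demo_old_is_null(), demo_new_is_null(), demo_equality(),
           demo_zero_length());
    return 0;
}
```

The size-aware copy is only a modelling device; the real defect was that nothing recorded how long `is_null_string` was, so the original `memcpy` had no way to know it was reading past the end.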